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A METHOD FOR ACCELERATING CRYPTOGRAPHIC OPERATIONS 

ON ELLIPTIC CURVES 
This invention relates to a method for performing cpmputations in cryptographic 
systems utilizing elliptic curves. 

5 

BACKGROUND OF THE INVENTION 

A public-key data communication system may be used to transfer information 
between a pair of correspondents. At least part of the information exchanged is enciphered 
by a predetermined mat\ierpnj\ ra\ operation by the sender and the recipient may perform a 

10 complementary mathematical operation to decipher the information. 

Each correspondent has a private key and a public key that is mathematically related 
to the private key. The relationship is such that it is not feasible to determine the private key 
from knowledge of the public key. The keys are used in the transfer of data, either to encrypt 
data that is to be transferred or to attach a signature to allow verification of the authenticity of 

IS the data. 

For encryption, one correspondent uses the public key of the recipient to encrypt the 
message and sends it to the recipient The recipient then uses her private key to decipher the 
message. 

A common key may also be generated by combining one parties public key with the 
20 other parties private key. It is usual in such cases to generate new private and corresponding 
public keys for each communication session, usually referred to as session keys or ephemeral 
keys, to avoid the long-term keys of the parties being compromised. 

The exchange of messages and generation of the public keys may therefore involve 
significant computation involving exponentiation when the cryptographic system utilizes in 
25 Z*p, the finite field of integers mod p where p is a prime or the analogous operation of point 
multiplication when the system utilizes an elliptic curve. In an elliptic curve system* an 
ephemeral key pair is obtained by generating a secret integer, k and performing a point 
multiplication in the seed point Q to provide the ephemeral public key kQ. Similarly, the 
generation of a common ephemeral session key will require multiplication of a public key 
30 k a Q, which is a point on the curve, with a secret integer k b of the other correspondent so that 
point multiplication is again required. 
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A similar procedure is used to sign a message.except that the sender applies his 
private key to the message. This permits any recipient to recover and verify the message 
using the senders public key. 

Various protocols exist for implementing such a scheme and some have been widely 
5 used. In each case, however, the sender is required to perform a computation to sign the 
information to be transferred and the receiver is required to perform a computation to verify 
the signed information. 

In a typical implementation a signature component s has the form:- 

s = ae + k (mod n) 
10 where; in an elliptic curve crypto system, 

P is a point on the underlying curve which is a predefined parameter of the system; 

k is a random integer selected as a short term private or session key; 

R = kP is the corresponding short term public key; 

a is the long term private key of the sender; 
15 Q = aP is the senders corresponding public key; 

e is a secure hash, such as the SHA-1 hash function, of a message m and the short 

term public key R; and 

n is the order of the curve. 

The sender sends to the recipient a message including m, s, and R and the signature is 
20 verified by computing the value R 1 = (sP-eQ) which should correspond to R. If the 
computed values correspond then the signature is verified. 

In order to perform the verification it is necessary to compute the point 
multiplications to obtain sP and eQ, each of which is computationally complex. Where the 
recipient has adequate computing, power this does not present a particular problem but where 
25 the recipient has limited computing power, such as in a secure token or a "Smart card " 
application, the computations may introduce delays in the verification process. 

Key generation and signature protocols may therefore be computationally 
intensive. As cryptography becomes more widely used there is an increasing demand to 
implement cryptographic systems that are faster and that use limited computing power, such 
30 as may be found on a smart card or wireless device. 

Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC 
permits reductions in key and certificate size that translates to smaller memory requirements, 
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and significant cost savings. ECC can not only significantly reduce the cost, but also 
accelerate the deployment of smart cards in next-generation applications. Additionally, 
although the ECC algorithm allows for a reduction in key size, the same level of security as 
other algorithms with larger keys is maintained. 
5 However, there is still a need to perform faster calculations on the keys so as to speed 

up the information transfer while maintaining a low cost of production of cryptographic 
devices. 

Computing multiples of a point on an elliptic curve is one of the most frequent 
computations performed in elliptic curve cryptography. One method of speeding up such 
1 0 computations is to use tables of precomputed multiples of a point. This technique is more 
useful when a point is known beforehand. However, there are cases when multiples of 
previously unknown points are required (for example, in ECDSA verification). Thus there is 
a need for a system and method for facilitating point multiplications. 

1 5 SUMMARY OF THE INVENTION 

In general terms, the present invention represents the scalar k as a combination of 

components k s and an integer X derived from an endomonphisim in the underlying curve. 
The method is based on the observation that, given an elliptic curve (EC) having 

complex multiplication mapping over a finite field, there is an X, which is the solution to a 
20 quadratic, for which the complex multiplication mapping is equivalent to multiplying a point 

Q by X. It will often be less computationally expensive to compute XQ via the complex 

multiplication map, compared to treating X as a integer and performing the EC multiplication. 

In practice, point multiplication by other scalars (not just X) is required. It is also shown how 

the multiplication mapping may be used to compute other multiples of the point. 
25 In accordance with this invention there is provided a method for accelerating 

multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps 

of: 

selecting an elliptic curve over a finite field F such that there exists an endomorphism \y, 
where \|/(Q) = X'Q for all points Q(x,y) on the elliptic curve; and 
30 using smaller representation kj of the scalar k in combination with the mapping \y to compute 
the scalar multiple of the elliptic curve point Q. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will become 
more apparent in the following detailed description in which reference is made to the 
appended drawings wherein: 
5 Figure 1 is a schematic diagram of a communication system; 

Figure 2 is a flow chart showing the steps of implementing a first embodiment of the 
present invention. 

Figure 3 is a flow chart showing the steps of providing parameters required to 
implement the method of Figure 2. 

10 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

For convenience in the following description, like numerals refer to like structures in 
the drawings. Referring to Figure 1, a data communication system 10 includes a pair of 
correspondents, designated as a sender 12, and a recipient 14, connected by a communication 

15 channel 16. Each of the correspondents 12,14 includes a cryptographic processor 18,20 

respectively that may process digital information and prepare it for transmission through the 
channel 16 as will be described below. Each of the correspondents 12,14 also includes a 
computational unit 19,21 respectively to perform mathematical computations related to the 
cryptographic processors 18,20. The processors 18, 20 may be embodied in an integrated 

20 circuit incorporated in the processor or may be implemented as instructions encoded on a data 
carrier to implement a predetennined protocol in conjunction with a general purpose 
processor. For the puipose of illustration it will be assumed that the correspondent 12 is in 
the form of a smart card having a dedicated processor 18 with relatively limited computing 
power. The processor 20 may be a central server communicating with the card by channel 16 

25 and channel 16 may be a wireless communication channel if preferred. 

' The cryptographic processors 1 8 implement an elliptic curve cryptographic system, of 
ECC, and one of the functions of the cryptographic processor 18 is to perform point 
multiplications of the form k*Q, where k is an integer and Q a point on the underlying elliptic 
curve, so that they may be used as a key pair k, kQ in a cryptographic scheme. As noted 

30 above, cryptographic computations such as the multiplication of an elliptic curve point by a 
scalar value are computationally expensive. 
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A method for accelerating scalar multiplication of an elliptic curve point Q(x,y) is 
shown in figure 2 and indicated generally by the numeral 50. The subject algorithm increases 
the speed at which the processors 12 can for example sign and verify messages for specific 
classes of elliptic curves. The method is based on the observation that given the general 
5 equation for an elliptic curve E: 

y 2 + ajxy + a 3 y = x 3 + a 2 x 2 + ape + a* (1) 
over a finite field, exemplified as F q (q is a prime power) and when there exists an 
endomorphism where i|/(Q) = X-Q for all points Q(x,y) on the elliptic curve, then 
multiplication of the point Q by an integer k may be accelerated by utilizing combinations of 
1 0 smaller representations kj of k in combination with the mapping \\t. The mapping \j/ also 
B allows precomputation of group elements and combinations thereof, which may be used in 

m subsequent calculation of kQ. 

j*j Referring now to figure 2, a flow chart of a general embodiment for accelerating point 

03 multiplication on an elliptic curve, is shown by numeral 50. The system parameters are first 

Jfj 15 selected. As an initial step an underlying elliptic curve E is selected to have certain 
L characteristics. In a first embodiment of the invention the generalized elliptic curve (1) may 

£n be expressed in the following form: 

m E:y 2 = x 3 + bmodp; where p is a prime. (2) 

J 3 Firstly, the modulus p can be determined such that there is a number, y where y e F p 

20 (F p is the field of size p consisting of all integers mod p), and y 3 = 1 mod p (a cube root of 
unity). If for example p = 7, then y = 2, since 2 3 mod 7=1. Such a y does not necessarily 
exist for all p, and therefore this must be taken into consideration when choosing the value of 
p. Typically, the chosen p should be at least 160 bits in length for adequate cryptographic 
strength. 

25 After the curve E has been selected, a mapping function \j/ is determined. The 

mapping function (x, y) -> (yx, y), simply maps one set of points on the curve to another 
set of points on the curve. There exists an integer X such that \j/(Q) = X*Q for all points 
Q(x,y) of interest on the elliptic curve, E. This integer X may be found by noting that X 3 e 1 
mod n, where n is the number of points on the elliptic curve E over F p i.e. the number of 

30 points on E(F P ). There may exist more than one solution for X in X 3 s 1 mod n, but only one 
of those solutions will satisfy the mapping function y. It is important to note that since y 3 
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mod p s l, both Q and \j/(Q) satisfy the equation for E. Therefore, instead of having to 
perform lengthy calculations to determine the results of multiplication by X, it can be done 
very efficiently using the results of the mapping function so that multiplication by X can be 
done very efficiently. 

5 A seed point Q is selected and the system parameters E, p, Q, X, iy(Q), and y are 

stored in the card 12, as indicated at 52, at manufacture time for use by the cryptographic 
processor 18. To implement a cryptographic procedure such as encryption, key agreement or 
signature it is necessary to select an integer k for use as an ephemeral private key k and 
generate a corresponding public key kQ. 
1 0 The value of k may be expressed as: - 

[ 2 k = (ko + k|X)modn (3) 

3jj where n is the number of points on E(F P ) and ko and k| are integers. The point k*Q 

IH then becomes: 

| k-Q = (koQ + k|XQ)modn (4) 

u 15 For some cryptographic operations the value of k may be chosen at random and in 

□ these cases, rather than select k it is possible to select values for ko and kj at random, having a 

=j length of [log2 (n)]/2 not including sign bits, (i.e. the length of the kj's are chosen to be at 

least one half the length k) and then calculate the value for k using equation (3). 
Having selected the values of ko, kj as indicated a 54 in figure 2, the right side of equation (4) 
20 can be calculated quickly using an algorithm analogous to the "Simultaneous Multiple 
Exponentiation" as described in the "Handbook of Applied Cryptography" (HAC) by 
Menezes et. al.(Algorithm 14.88) and indicated at 56. For convenience the algorithm is 
reproduced below. It may be noted that in an additive group exponentiation is analogous to 
addition, thus replacing the multiplication in the algorithm with addition, yields the 
25 following: 

Algorithm 1 Simultaneous Multiple Addition 

INPUT: group elements go, g lf g/., and non negative t-bit integers eo, c u e M . 
30 OUTPUT: goeo + gie, + ... + g,_,e M . 



1 Li 



stepl . Precomputation. For / from 0 to (2 ; - 1): 
where i = (i M . . . i 0 ) 2 
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step2. A <— 0 

step3. For i from 1 to / do the following: 
A<r-A + A 9 A<r-A + G fi 

step4. Return (A) where A = g 0 eo + giei + . . . + g/.ie M 

5 

Applying this algorithm to equation (4) it can be seen that there are two group 
elements, go, gi namely Q and A.Q, so that / = 2 and two integers eo, ei namely k^k^ The 
algorithm permits precomputation of some of the values and initially G* is precomputed. The 
1 0 results of precomputation of Gi with / = 2 is shown in table 1 . 
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go + gi 
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e 1. 



After performing a point addition to construct the point: Q + vy(Q). It is possible to fill 
15 in table 1 with the computed elements to yield table 2. These elements may be pre-computed 
and stored in memory as shown at step 58 in figure 2. 
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20 Before step of the algorithm can be performed, G 7 has to be determined and accordingly Ij 

through I, have to be found as indicated at 60. A notional matrix or combing table may be 
constructed using the binary representation of k*. If, for example, ko = 30 and ki = 10, then t 
has the value five since the maximum number of bits in the binary representation of ko 
through ki is five and the notional matrix constructed from their binary representation is 
25 shown in Table 3. I, is determined by the number represented in the I th column where the first 
row contains the least significant bit, the second row contains the next significant bit, etc. 
Therefore it can be seen from table 3 that I, = I 2 = (11) = 3, 1 3 = (01) =1 , 14 =3, and I 5 = 0. 
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k, 
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0 



Table 3 



All the components needed to complete the algorithm are available and the iteration of 
step three is performed as shown at 62. 
5 Initially A <— O and i is set to 1 . 

Ii = Ij which from table 3 is equal to 1 . G i% is therefore G\ which from table 2 is Q. 

The value of A from the iteration for I = 1 is therefore O + Q = Q. 

For the next iteration where i = 2 the initial value of A is Q so A <— Q+Q = 2Q 
Ii = I 2 = 3 from table 3. G 7j therefore equates to G3 from table 2 which is Q+i|/(Q). 

10 A + G h therefore is computed as 2Q+Q+\|/Q = 3Q+\j/Q. 

The iterations continue for each value of i set out in table 4 until after the 5 lh iteration 
the value for koq = k, X.Q, i.e. kQ is computed. ^ 
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3Q + vj/(Q) 
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7Q + 2m/(Q) 
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15Q + 5m/(Q) 


5 


30Q+ 10y(Q) 



Table 4 



15 Each iteration requires a point doubling (A+A) and a point addition (A+ G /t ) although 

in some cases the value of G 7 may be O that will reduce the computation. 

Thus it may be seen that this method will require a number of point doubles equal to 
max (log2(kj)} , and almost as many point additions. The number of point additions can be 
reduced using windowing (Alg. 14.85 HAC) and exponent recoding techniques. Since the 
20 value of i and G* can be precomputed, the point additions are easily performed by retrieving 
the appropriate precomputed element G, from table 2. Once kP has been computed, it may be 
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used as the correspondents 12 ephemeral public key in encrypting or signing transmissions 

over the channel 1 6. 

To summarize, for cryptographic operations like encryption and Diffie-Hellman, 
signature, an integer k is required with a corresponding public key kQ, computed. The values 
5 ko and kj are chosen at random, each having a length one half the length of n and the term 
koQ = kjXQ generated using a suitable algorithm. When the k's are chosen in this way, the 
method seems to be as secure as the random generation of k itself. Of course it is possible to 
choose the k/s to have fewer bits in order to improve efficiency. 

In the above technique, the method of writing k=ko+ki^ in conjunction with 
10 simultaneous combing achieves a speed up of the simultaneous multiple addition algorithm. 
The technique of writing k=ko+ki>> may also be used with the scalar multiplication techniques 
to advantage, namely with winding, combing ,etc. 

For some mappings vj/, it is also possible to use more than two sub k's. It is possible 
for some \j/'s to write k=ko+k,X+k 2 X 2 allowing the value of k to be computed by applying the 
15 simultaneous multiple addition algorithm. 

In a second embodiment of the invention a different form of the generalized elliptic 
curve equation (1) is used, namely: 

y 2 = (x 3 - ax) mod p (5) 
Once again, p will be a prime number having at least 160 bits. For this type of curve, the 
20 properties required for y are different. It is now required to find a value such that 

y 2 = -1 mod p. A change in the property of y requires a different mapping function \\t* to be 
used. In this embodiment the mapping takes the form vj/ 1 : (x, y) -> (-x, yy). If (x,y) is on the . 
curve, then M/'(x,y) is also on the curve. In this case k 4 = 1 mod n (n is still the number of 
points on E(F P )), and therefore X can be calculated. The mapping \|/'(Q) = X-Q is performed as 
25 before and once again multiplication by k can be done very efficiently for this curve. The 
equation for k in this embodiment is the same as in the first embodiment and is represented 
by: 

k = (ko + kiA.)modn (6) 
This equation is the same as in the previous embodiment, having only two group elements. 
30 Thus using the group elements Q and Q+ y'CQ) in the algorithm 1, the point k-Q may be 

calculated. This computation will require a number of point doubles equal to max{log2(kj)}, 
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and a similar number of point additions. As described earlier the number of point additions 
can be reduced using windowing and exponent recoding techniques. 

This method applies to other elliptic curves, so long as there exists an efficiently 
computable endomorphism, 
5 The above embodiments assume that k can be chosen at random and therefore ko and 

ki can be selected instead and determine k. For cryptographic protocols, where it is not 
possible to choose k, it is first necessary to find ko, ki of the desired "short" form from the 
given value of k such that k = (ko + k } X) mod n. In some cases, more than two k's can be 
used to advantage. 

10 As may be seen in the embodiments described above when a point is known 

beforehand, tables can be built to speed multiplication. However, there are cases when 
multiples of previously unknown points are required (for example, this can occur in ECDSA 
verification) and it is then necessary to take the value of k as provided and then determine 
suitable representations for kj. 

15 Thus in a third embodiment, system parameters and a value k is provided, the point Q, 

the required multiple k, and the complex multiplication multiple X are known. It is necessary 
to determine the "short" kj's from the value for k, which is predetermined. A method for 
doing this described as follows and illustrated in the flow chart of figure 3. As a pr'e- 
computation (not requiring k) we compute two relations: 

20 ao + b 0 ^ = 0 mod n 

ai+biX = 0modn 

such that a* and b* are numbers smaller than n. It is preferable that a* and bj are as small as 
possible, however, the present method has advantages even when a* and b* are not minimal. 
The pair, aj and bj, where a< and bj are both small, can be viewed as a vector, Uj with a small 
25 Euclidean length. Typically the method described below produces ko and kj having 
representations one half the size of the original k. 

In the present embodiment, kQ can be computed efficiently by utilizing precomputed, 
short vector representations to obtain an expression of the form: 

koQ + X kj Q 

30 This is accomplished by using precomputed vectors to derive fractions f Q and/j that do 

not require knowledge of k. A vector z is generated from the combination of fractions^ and 
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/i and k. The vector z is used to calculate a second vector v' where v' = (vo ,vj ) and the value 
of kQ calculated as 

vo y Q + WQ (8) 
The method of achieving this solution is described below in greater detail. 
5 To produce small a\ and b i5 it is possible to make use of the L 3 - lattice basis reduction 

algorithm (HAC p.l 18), which would directly result in short basis vectors. However, in this 
preferred embodiment the simple extended Euclidean algorithm is employed on the pair (n, 
X). The extended Euclidean algorithm on (n, X) produces linear combinations qn + d*X = rj, 
where the representation of r; (e.g. bit-length) decreases and the representation of Cj and d* 

1 0 increases with i. 

The two smallest values of |(dj, ri )| resulting from using the extended Euclidean 
algorithm are saved. The size of these vectors are measured with the squared Euclidean norm 
|(dj, Ti )| = di 2 + n 2 . The terms in these minimal relations are denoted d 0 , f 0 and d, , f, . And 
will typically occur in the middle of the algorithm. Even if the minimal relations are not 

15 retained, suboptimal relations may still give the method an advantage in the calculation of 
point multiples. 

The values of a* and bi are constructed by defining ao = - f 0 , b 0 = d 0 and a t = -r, , 

bi = d 0 all of which may be precomputed. 

The next task is to find a small representation for the multiple k. 
20 Given the computation of ao,b 0 and aj,bi it is possible to designate the vectors u D ,ul, 

where u c = (ao, b 0 ) and u } = (a u bj). These vectors satisfy a* +b^ = 0 (mod n). The 

multiplication of the group elements Q by the vector v = (v 0 , vi) is defined as (v 0 + v,X)Q. 

Since a* +b;X = 0 (mod n), u<>R = = 0 for any group element R. Hence for any integers Zo 

and Zj, v'R = (v - zou 0 - 2iUi)R for any group element R. 
25 Integers Zo and Z\ may be chosen such that the vector v' = v - zou 0 - ZiUj has 

components that are as small as possible. Again, this method will have an advantage if the 

components of v' are small, but not necessarily minimally so. 

The appropriate Zo and z\ are calculated by converting the basis of v into the basis {uo, 

Ui}. The conversion between basis involves matrix multiplication. To convert the vector v = 
30 (vo, vi) from the {u 0 , uj} basis to the standard orthonormal basis {(1,0),(0,1)}, 



11 



WO. 00/39668 



PCT/CA99/01222 



[a 0 b 0 
a, b } 



To convert in the other direction, from the standard orthonormal basis {(1,0),(0,1)} to the (u 0 , 
Ui) basis, the multiplication is simply by the inverse of M, 

v<^, = v WMMn i*v~*«M) = Wl)l aA l _ aA [} ai 

Since the vector v = (k, 0) has a zero component, the bottom row of inverse(M) is not 
required, and therefore to convert to the {u 0 , Ui} basis only the fractions 



a 0 b x -a x b 0 



and 

a 0 b t -a x b 0 

are needed. 

The fractions fo and f\ may be precomputed to enough precision so that this operation 
may be effected only with multiplication. It should be noted that the computations leading to 
these fractions do not depend upon k, therefore they can be computed once when the elliptic 
curve is chosen as a system parameter, and do not need to be recalculated for each k. 
Similarly the vectors v, u Q and Ui may be precomputed and stored. 

Once a value of k is selected or determined the value of kQ may be computed by first 
calculating z = (zo, Z\\ where z is defined as (zo, z0 = (round(kf 0 ), round(kfi)). 
Other vectors near to z will also be useful, therefore rounding could be replaced with floor or 
ceiling functions or some other approximation. 

Once a suitable z has been determined, an efficient equivalent to v (k,0) is calculated 
by v ' = (v 0 ', vi') = v - zotio -ZiUi. The phrase "efficient equivalent" implies a vector v' such 
that v'P = vP and v' has small coefficients. The value kQ is then calculated as v 0 'Q + v/XQ. 
This value can be calculated using simultaneous point addition as described above, with 
enhanced efficiency obtained from the use of non-adjacent form (NAF) recoding as described 
above and as described in H.A.C. 14.7 at page 627. Thus, even where k is predetermined, 
values of ko and ki can be computed and used with the mapping function to obtain a value of 
kQ and hus he key pair k, kQ. 
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For the case where k is to be separated into 3 portions k = ko + kjX + k 2 X 2 9 small 
vectors can be obtained from L 3 -row-reducing 
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5 A small vector equivalent (three-dimensional row) can be obtained in a similar way to 

the two-dimensional case. 

Using these methods to determine the value of k*Q greatly reduces the processing 
power required by the cryptographic processors 12. It also increases the speed at which these 
repetitive calculations can be done which, in turn, reduces the time to transfer information. 

10 It will be appreciated that once the scalar multiple k has been represented in terms of 

shortened components k = ko+ k } X + k 2 X 2 + .. .kn^X™" 1 , other options for efficient elliptic 
curve scalar multiplication may be used in place of or in conjunction with the simultaneous 
multiple addition algorithm. These options include windowing (fixed and sliding), combing, 
bit recoding and combinations of these techniques. 

1 5 One particularly beneficial technique permits tables built for one component of the 

multiplication, say ko, to be reused for other components ki etc. This is accomplished by 
transforming the computed table elements by applying the mapping y as required. 

As a further exemplification, an embodiment where k can be recast as k = ko+ k\X + 
k 2 X 2 , where k has m-bits and k; have roughly m/3 bits is described below. 

20 Once the components kj have been determined, they may be recoded from the binary 

representation to the signed binary representation having less non-zero bits. This recoding 
can take the Non- Adjacent-Form (NAF), where every 1 or -1 bit in the representation if ki is 
non-adjacent to another non-zero in the signed binary string. This recoding is described in 
HAC. 14.7 p. 627. 

25 Once each ki has been recoded, a table can be constructed to aid in computing k { XP . 

A NAF windowing table precomputes certain short-bit length multiples of XP . The 
width of the window determines the size of the table. As kj has been recordedto have no 
adjacent non zeros, odd window widths are suitable. A 3-bit wide NAF window would 
contain 
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□ 



1 0 1 



1 0- 1 



The recoded kj values are built by concatenating these windows, and padding where 
necessary with zeros (H.A.C., p. 616). 
5 The required number of additions can be reduced with use of this table, since it is 

necessary to add or subtract an EC point only for every window encountered instead of for 
every non zero bit. 

Initially therefore this technique is applied to the computation of koP. 

The table built for the koP calculation can be applied to the k ( A P calculation if the 

10 table elements are mapped with the \\j mapping using the operator y . Similarly, k 2 A 2 P can 
be accelerated by using the table built for koP, but mapping the table elements with y 2 . 

In applying the sliding window technique to the components, only one set of 
doublings need be performed. 

To illustrate this example of a preferred embodiment the following example will be 

15 used: 

Ifk = [101 10101 1101] 2 + [11 1010101 101] 2 X, 
then recoding 

k = [10-100-10-100-101] + [1000-10-10-10-101] X, 

20 A 3-bit window table on P is precomputed containing 1*P, [10-1]*P, [101]*P. This 

requires two EC additions, and two EC doublings. 
After this, kP can be calculated as 

kP = [10-100-10-100-101] P + [1000-10-10-10-101] • KP 
by adding/subtracting elements from the table. 
25 This can be done using an accumulator A as follows: 

A<— 0 ; initialize 

A += V|/ (1 • P) ; consuming the top bit of k r Q 

A <- 2 A ; double A 

A<- 2 A 

30 A«-[10-1]P ; consuming the top 3 bits of k r 0 
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A<-2 4 A 

A . = [101] V P 

A«-2A 

A .= [101]P 

A<-2 4 A 

A -= [101] M/P 

A*- 2 2 A 

A - = [10-1]P 

A + = yP 



consuming a 3 bit window of k[ 
double A 

consuming 3 bits of k[ 

; consuming 3 bits of k[ 

; consuming the last of k^ 
; producing kP. 



30 



In summary, the previously described technique is as follows. Given an elliptic curve 
E and an endomorphism \|/, there corresponds an integer X such that XQ=h/(Q) for a11 points 
QeE. Select an integer m and compute an equivalent number m of "short basis vectors" bi, 
b 2 , . . .,b m .. Each such basis vector corresponds to an integer, and each such integer is 
divisible by the number of points n = # EfFp 1 ") (i.e. the number of points). Now, given an 
integer k, (0 < k < n), we write k = ^k. • X , where the kj's are chosen to be "short". This is 
done by finding the difference between a certain vector (which represents k) and a nearby 
vector in the lattice generated by bj, b2, ...,b m . 

The following embodiment explicitly describes an application of the previously 
described technique (endomoiphism and basis conversion and "Shamir's trick") to elliptic 
curves defined over composite fields. In particular, we describe an application to curves 
E(F p m ) where p is an odd prime is described. The following embodiments exemplify 
techniques for such curves. 

This technique is described in the case where the map \y is the Frobenius map vj/(x,y) 
= (x p y) and E , A3 (Fp m ) where A,B<=F P . 

In this case, it is known that the Frobenius map satisfies the \|/ 2 - tvj/ + p = 0, where t = 
p+l-SECFp™). 

It follows that X 2 - XX + p = 0 mod n and so A. 2+I - tX 1+l + pX l = 0 mod n. 
Note that the vectors; 

( x"**'.., x , x ) 
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b, 



(0, 
( 



0, 0,... 



0, 1, 



P) 
P. 0) 



1,-t, 



b, 



(1. 

K 
(P. 



-t, p,0,0... 
p, 0,0, ... 
0, 0,0,... 



o, 



...,0) 

...,o, 1) 

1,-t) 



consist of m "short" basis vectors of the vector space Q". It follows that to compute 



k-Q on such a curve we can proceed using the vectors b|,b 2 ...b m and the technique described 
previously. 

In the above embodiments it will be appreciated that k,XQ can be obtained from 
u/(kQ) is the mapping is more efficient than addition. 

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art 
without departing from the spirit and scope of the invention as outlined in the claims 
appended hereto. 
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